Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/11/14 15:51:07 UTC

[GitHub] [airflow] dstandish edited a comment on pull request #19324: Catch AccessDeniedException in AWS Secrets Manager Backend

dstandish edited a comment on pull request #19324:
URL: https://github.com/apache/airflow/pull/19324#issuecomment-968316195


   > The boto3 secrets manager library will fail with ResourceNotFoundException if there are no restrictions in the IAM role, i.e. it has full access to secrets manager. That isn't practical for most organizations, as they will have several entities accessing secrets manager and do not want to give full access to all secrets by all of them. 
   
   OK so what you're saying here is that it's `not practical for most organizations` to catch `ResourceNotFoundException` because in most organizations they'll get `AccessDeniedException` instead, because the cred exists but the instance does not have permission to access it.
   
   But why is the airflow instance trying to retrieve the cred that it does not have access to in the first place? That seems like a misconfiguration issue. If the scheduler is trying to access, for example, the value for `sql_alchemy_conn` from secrets backend (that's your scenario, right?), and it is unable to do so, isn't the scheduler going to fail anyway?


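The two error codes discussed in this thread, as an added example that is not part of the original comment or of Airflow's code: a lookup that treats `ResourceNotFoundException` as a quiet miss and logs `AccessDeniedException` so a misconfigured role stays visible. `lookup_secret`, `FakeScopedClient` and the secret names are hypothetical; the fake client models the scoped-IAM behaviour described in the quoted comment.

```python
import logging

try:
    from botocore.exceptions import ClientError
except ImportError:
    # Stand-in with the same .response shape, so the example runs offline.
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(f"{operation_name}: {error_response['Error']['Code']}")
            self.response = error_response

log = logging.getLogger("secrets_lookup")
FOUND, NOT_FOUND, ACCESS_DENIED = "found", "not_found", "access_denied"


def lookup_secret(client, secret_id):
    """Return (status, value) for one secret; unrelated errors propagate."""
    try:
        resp = client.get_secret_value(SecretId=secret_id)
    except ClientError as err:
        code = err.response["Error"]["Code"]
        if code == "ResourceNotFoundException":
            return NOT_FOUND, None  # caller may fall through to the next backend
        if code == "AccessDeniedException":
            # Either the role is misconfigured, or the secret is absent and
            # the scoped policy hides that; log it so it can be investigated.
            log.warning("access denied reading secret %r", secret_id)
            return ACCESS_DENIED, None
        raise  # throttling, KMS errors, etc. are not "missing secret"
    return FOUND, resp.get("SecretString")


class FakeScopedClient:
    """Constructed client: the role may only read ids under allowed_prefix."""

    def __init__(self, secrets, allowed_prefix):
        self.secrets, self.allowed_prefix = secrets, allowed_prefix

    def _fail(self, code):
        err = {"Error": {"Code": code, "Message": "constructed"}}
        raise ClientError(err, "GetSecretValue")

    def get_secret_value(self, SecretId):
        if not SecretId.startswith(self.allowed_prefix):
            self._fail("AccessDeniedException")  # denied whether or not it exists
        if SecretId not in self.secrets:
            self._fail("ResourceNotFoundException")
        return {"SecretString": self.secrets[SecretId]}
```
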